
JFrog (NASDAQ:FROG) executives used a recent investor discussion at Cantor Fitzgerald to address market concerns about AI coding agents and to reiterate the company’s differentiation in binary-level software supply chain management and security. The conversation featured CFO Ed Grabscheid and IR leader Jeff Schreiner alongside Cantor Fitzgerald analyst Jonathan Ruykhaver.
Binary security vs. source code security
A central theme of the discussion was the distinction between source code security and binary security. Schreiner said a key misconception among investors is conflating source code—kept behind an organization’s firewall—with binaries, which are deployed “into the wild” and exposed to external threats.
As an example of the continuing need for binary-level protections, Schreiner pointed to secrets detection. He noted that even if developers intend to remove secrets before compiling, once compilation occurs the secret can be embedded in a binary and become available to malicious actors.
Xray adoption and the path to Advanced Security and Curation
Grabscheid outlined how JFrog positions and monetizes its security portfolio. He said Xray is included in the company’s enterprise platform and in its Pro X subscription and serves as “ground zero” for scanning binaries for malicious packages after artifacts are brought into an organization.
He described JFrog Advanced Security and Curation as add-on products that require Artifactory and an enterprise subscription. Grabscheid said the company currently has about 3,000 JFrog users and customers using Xray, representing the opportunity set for converting to Advanced Security and Curation. He added that JFrog has “hundreds of customers” using the add-on security offerings, without providing an exact number.
Grabscheid also cited the company’s reported business mix at the end of the fourth quarter, stating that security contributes:
- 16% of remaining performance obligations (RPO)
- 10% of annual recurring revenue (ARR)
- 7% of revenue
He said JFrog saw “great momentum” in the second half of 2025, particularly around “protecting the castle” through Curation, and that Advanced Security is being adopted as customers consolidate away from point solutions.
AI agents, “Switzerland” positioning, and foundational AI customers
On the question of whether AI tools could bypass traditional programming languages and produce binaries more directly, Schreiner said customers are still in an early phase of understanding and implementing agents and are currently focused on securing agent usage. He added that if development shifts toward starting at the binary, the importance of binaries would increase, which could draw more attention to JFrog as a system of record.
Ruykhaver also raised the value of independence and “trust” if different model providers generate and consume artifacts across ecosystems. Schreiner emphasized JFrog’s “universality,” arguing that the rapid shifts in preferred AI developer tools make it risky to bet on a single vendor partnership. He said JFrog would like to work with multiple AI and LLM providers, but the market is evolving quickly and universality helps JFrog remain the underlying infrastructure layer.
Grabscheid elaborated on a “foundational model provider” customer using Artifactory as a control plane for AI models. He said the use case is currently focused on storage and distribution. He described the customer as having landed in Q1 with a self-hosted deployment and an Enterprise Plus subscription, then expanding in Q2 and doubling ARR to more than $1 million. Grabscheid added that JFrog has three of the top five foundational AI companies as customers, publicly naming NVIDIA as one, while stating the other two cannot be disclosed. He said JFrog is in discussions with the remaining two, which currently use homegrown tools or open-source approaches.
Cloud usage over minimum commitments and guidance approach
Grabscheid said JFrog’s cloud business grew 45% year over year for the full year and 42% in the quarter, and he highlighted a trend that re-emerged in 2025: customers consuming above minimum commit levels. He described the overage trend as broad-based across industries and tied it to increased innovation efforts and growth in AI-native package types such as Hugging Face, Conda, and PyPI.
He explained that some customers are willing to pay above minimum commitments because they lack clarity on how AI workloads will evolve. JFrog’s goal, he said, is to convert sustained over-minimum usage into higher annual commitments for better customer unit economics and improved company visibility.
On guidance, Grabscheid said JFrog changed its philosophy in mid-2024 due to larger, more complex deal dynamics, including migrations from self-hosted to cloud and security expansions. He said the company excludes its largest deals and usage over minimum commitments from guidance to establish what he called a “floor.” He referenced 31% cloud growth at the midpoint as a floor assumption absent large deals and overages, while noting there could be upside if 2025 trends continue.
Response to market reaction and AppTrust governance
Grabscheid addressed the stock reaction following news related to AI coding tools, describing three actions the company took: publishing a CTO blog post explaining JFrog’s role in binaries, authorizing a $300 million buyback after a board meeting, and focusing on execution as the ultimate proof point.
Near the end of the session, Schreiner discussed governance needs and recordkeeping as AI use expands. He said JFrog’s governance-related capabilities introduced at the company’s swampUP user conference in September 2025 were aimed at addressing customer pain points around maintaining auditable records of “gates” passed during application builds. He said JFrog is rolling out its AppTrust solution to customers this year to store a digital record at every gate for every build, positioning it as a governance layer that supports auditability beyond what an AI chat record could provide.
About JFrog (NASDAQ:FROG)
JFrog is a software company specializing in DevOps solutions designed to streamline the management, distribution and security of software binaries. Its core offering, JFrog Artifactory, serves as a universal artifact repository manager compatible with all major package formats, enabling development teams to store, version and share build artifacts across the software delivery pipeline. The company’s platform also includes tools for continuous integration and delivery (CI/CD), security scanning and release automation.
Among JFrog’s flagship products are JFrog Xray, a security and compliance scanning service that analyzes artifacts and dependencies for vulnerabilities; JFrog Pipelines, a CI/CD orchestration engine that automates build and release workflows; and JFrog Distribution, which accelerates the secure distribution of software releases to edge nodes and end users.
